Group dismisses reports the malware was created by Iran.
Ransomware is evolving to target the industrial control systems that manage operational technology used in electric utilities and sewage treatment plants, cybersecurity firm Dragos says in a report out today.
Those behind ransomware often attempt to encrypt sensitive data of entities like hospitals and cities until the owners pay them to unlock it.
“The identification of industrial process targeting within the ransomware described in this report is unique and represents the first known ICS-specific ransomware variants,” the report reads, referring to a ransomware called EKANS and its parent, MEGACORTEX.
The report was previously made available to Dragos’ threat intelligence customers but the company is making it public due to interest the ransomware has received in recent days.
Dragos, which specializes in industrial systems, evaluated allegations by an Israeli cybersecurity company tracing the malware back to Iran and found links to be “tenuous.” The Dragos report notes that while major industrial control systems were previously thought to be the domain of nation-state actors, the ransomware the company analyzed indicates the involvement of non-state actors pursuing financial gain rather than geopolitical strategies.
Officials at the Cybersecurity and Infrastructure Security Agency have been warning critical infrastructure owners to be on alert for cyberattacks from Iran following the U.S. removal of General Qassem Soleimani by airstrike.
“While any connection to ‘strategic interests’ are possible given the size and scope of most states’ long-term strategy, Dragos analysis finds any such link to be incredibly tenuous based upon available evidence,” the report reads.
Dragos said “markers” referenced in the allegations naming Iran as “the immediate suspect” were simply not present.
While the EKANS ransomware has “limited functionality,” Dragos said its “nature represents a relatively new and deeply concerning evolution in ICS-targeting malware. Whereas previously ICS-specific or ICS-related malware was solely the playground of state-sponsored entities, EKANS appears to indicate non-state elements pursuing financial gain are now involved in this space as well, even if only at a very primitive level.”
The cyber firm listed ways asset owners might protect themselves stressing “time is of the essence.”
CISA hosts the Industrial Control Systems Joint Working Group for the purpose of sharing information. The group is planning a webinar for March 11 on the unique qualities of operational technology and why it needs “special attention.”